A customer reports that he cannot open a certificate encrypted document when he is not in the network of his company. When he is in the network it works. Why is that and how can I fix that?

What we do:

We send a PDF document via email to the guy. The PDF is encrypted with a certificate. He has the PFX certificate in his Windows certificate store. The PFX certificate is signed by a CA, which is self-signed. All certificates and the CA are generated with Adobe Acrobat. I installed the CA certificate on his machine and it does not change anything. We did not change any settings in the LC server regarding the certificates.

Network connectivity is not necessary to open a "certificate encrypted" PDF as long as the end user has "local" access to the private key that corresponds to the public key that was used to encrypt the PDF. If the "private" key was being pulled from the end user's LDAP account then I would say that network connectivity would be necessary.

To clarify, a "self-signed" certificate does not have a CA (certificate authority) and is not "signed" by a certificate authority. This is why it is called a "self-signed" certificate.

A PFX file contains a private key and a public key. Only the end user should have access to the PFX file. The public key can be extracted from the PFX, and saved as a ".cer" (certificate) file (this file can be distributed freely). The "certificate" file is used to encrypt the PDF for the specific user. When the user receives the encrypted PDF and they attempt to open it, they must have the PFX file containing the "private" key, and they must supply the password for the private key.

Make sure that the PFX is installed in the Windows Certificate Store, not just the public key "certificate" file.

I validated this at the customer's site and found out that the guy had two Windows profiles. Since the certificates are part of the Windows profile, it did not work when he used his "offline" profile, because he had installed it in the other profile only.
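
The check this thread arrives at, as an added example that is not part of the original posts: a PowerShell script to run inside each Windows profile the user logs on with, confirming that the certificate the PDF was encrypted for is in that profile's personal store together with its private key. The script name `Test-RecipientKey.ps1` and the `-CerPath` parameter (the path to the recipient's exported public ".cer" file) are assumptions made for the example.

```powershell
# Test-RecipientKey.ps1 (hypothetical name): added example, not from the thread.
# Run it once per Windows profile; Cert:\CurrentUser\My is stored per profile.
param(
    # Assumption: path to the recipient's public certificate (.cer) used to encrypt the PDF
    [Parameter(Mandatory = $true)]
    [string] $CerPath
)

# Load the public certificate the document was encrypted for
$resolved  = (Resolve-Path -Path $CerPath).Path
$recipient = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($resolved)

# Look for the same certificate (by thumbprint) in the current profile's personal store
$inStore = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $recipient.Thumbprint })

# Importing only the .cer gives a store entry without a private key;
# importing the PFX gives one with HasPrivateKey = True
$withKey = @($inStore | Where-Object { $_.HasPrivateKey })

$verdict =
    if ($withKey.Count -gt 0) {
        'OK: certificate and private key are present in this profile'
    }
    elseif ($inStore.Count -gt 0) {
        'Public certificate only: import the PFX into this profile'
    }
    else {
        'Not installed in this profile: import the PFX here'
    }

[pscustomobject]@{
    Profile       = "$env:USERDOMAIN\$env:USERNAME"
    Subject       = $recipient.Subject
    Thumbprint    = $recipient.Thumbprint
    NotAfter      = $recipient.NotAfter
    InStore       = ($inStore.Count -gt 0)
    HasPrivateKey = ($withKey.Count -gt 0)
    Verdict       = $verdict
}
```

Differing results between the two profiles on the same machine reproduce the situation described above without needing to open the PDF.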